package com.example.myproject.config;

import com.example.myproject.service.CustomUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(customUserDetailsService); // 使用自定义的UserDetailsService
    }

    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable() // 禁用 CSRF 保护
                .authorizeRequests()
                .antMatchers("/user/login", "/user/register", "/user/verify-code").permitAll() // 允许无条件访问
                .antMatchers("/role/add").access("hasAuthority('add_role') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/role/edit/**").access("hasAuthority('edit_role') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/role/search/**").access("hasAuthority('edit_role') or hasAuthority('query_role') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/role/get").access("hasAuthority('query_role') or hasAuthority('SUPER_ADMIN') or hasAuthority('edit_role')")
                .antMatchers("/role/delete/**").access("hasAuthority('delete_role') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/customer/add").access("hasAuthority('add_customer') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/customer/edit/**", "/customer/search/**").access("hasAuthority('edit_customer') or hasAuthority('query_customer') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/customer/get").access("hasAuthority('query_customer') or hasAuthority('draft_contract') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/customer/delete/**").access("hasAuthority('delete_customer') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/user/add").access("hasAuthority('add_user') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/user/edit/**").access("hasAuthority('edit_user') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/user/get", "/user/search/**").access("hasAuthority('query_user') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/user/delete/**").access("hasAuthority('delete_user') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/right/add").access("hasAuthority('add_right') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/right/edit/**", "/right/search/**", "/right/delete/**", "/right/assignRoles/**").access("hasAuthority('configure_permission') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/contract/draft", "/contract/upload","/customer/get").access("hasAuthority('draft_contract') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/contract/assign/**").access("hasAuthority('assign_sign') or hasAuthority('assign_counter_sign') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/contract/countersign/**", "listCounterSignContract").access("hasAuthority('counter_sign_contract') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/contract/finalize", "/contract/name/**/finalize").access("hasAuthority('finalize_contract') or hasAuthority('SUPER_ADMIN')") // 添加定稿合同权限
                .antMatchers( "/contract/download").access("hasAuthority('finalize_contract') or hasAuthority('counter_sign_contract') or hasAuthority('sign_contract')  or hasAuthority('SUPER_ADMIN')") // 添加定稿合同权限
                .antMatchers("/contract/pending_approval", "/contract/pending_approval/query", "/contract/download").access("hasAuthority('approve_contract') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("/contract/pending", "/contract/pending/query").access("hasAuthority('assign_counter_sign') or hasAuthority('SUPER_ADMIN')")
                .antMatchers("contract/searchByStatus/**").access("hasAuthority('query_process') or hasAuthority('SUPER_ADMIN')")
                .anyRequest().authenticated(); // 其他所有路径都需要身份验证
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
